Executive Summary



This alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary
Title: Skype does not properly filter input from external websites
Information
Name: VU#248184
First vendor publication: 2008-01-22
Vendor: VU-CERT
Last vendor modification: 2008-01-22
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Subscore: NA
Temporal Score: NA
Exploitability Subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Base Score: 9.3
CVSS Impact Score: 10
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#248184

Skype does not properly filter input from external websites

Overview

The Skype client does not properly filter user-supplied input from websites that provide video content to Skype users.

I. Description

Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems.

Skype users can include videos from the Dailymotion and other websites in their mood panel. Videos from these websites are also available via the Skype video browser. Skype does not properly filter user-supplied input that is provided from these third-party websites. An attacker may be able to exploit this vulnerability by uploading a specially crafted movie file to a site that provides video content to Skype users.

From SKYPE-SB/2008-001: Skype Cross Zone Scripting Vulnerability:

    Description

    Skype uses Internet Explorer web control to render HTML content. This is used also for providing "add video to mood" and "add video to chat" functionality.

    This is realized over JS/ActiveX interface which allows scripts to be run in Local Zone security context of IE.

    In order to exploit this an attacker must exploit code injection vulnerability at the partner site. Such vulnerability has been discovered in Dailymotion website.

    Discussion

    An attacker who constructs a Title of the video in a specific way can cause arbitrary code to be executed on target's PC.

    For the vulnerability to be triggered, the target must find this video in Skype video gallery browser Dailymotion's section. Watching the video in a Skype chat or in a mood message is safe, as Internet Explorer control is not used.

    The proof of concept has been made public by Aviv Raff and Miroslav Lucinskij.

II. Impact

A remote unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Per SKYPE-SB/2008-001, Skype has temporarily disabled the ability to add videos from the Dailymotion site until an official fix has been made available. Note that the Dailymotion website contained an XSS vulnerability that could be used as an attack vector, and blocking new videos from the Dailymotion website will not completely address this issue.

Include Skype in the Local Machine Zone Lockdown

Configuring Skype to use the Local Machine Zone Lockdown may prevent this vulnerability from being exploited by preventing Skype from evaluating script in the Local Machine Zone. To include Skype in the Local Machine Zone Lockdown, edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown registry entry to include the DWORD value Skype.exe and set the Value data to 1. Skype must be completely quit and restarted for the changes to take effect.

Alternatively, the following text can be saved as a .REG file and imported:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown]
    "Skype.exe"=dword:00000001

Note that this workaround does not directly address the vulnerability, and may cause some of Skype's features to fail or operate with limited functionality.
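
A read-only check that the workaround above is actually in place on a host. This is an added example, not part of the CERT note or the Skype bulletin. The key path and value name are the advisory's; the WOW6432Node view (for a 32-bit Skype.exe on 64-bit Windows) and the function name Get-LockdownState are assumptions introduced here.

```powershell
# Audit only: reports whether Skype.exe is opted in to Local Machine Zone Lockdown.
# Run from a 64-bit PowerShell so the native and WOW6432Node views are both visible.
$feature = 'Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LocalMachine_Lockdown'
$views = [ordered]@{
    'Native'         = "HKLM:\SOFTWARE\$feature"
    # Assumption: a 32-bit process on 64-bit Windows reads the redirected view.
    '32-bit (WOW64)' = "HKLM:\SOFTWARE\WOW6432Node\$feature"
}
$valueName = 'Skype.exe'

function Get-LockdownState {
    param([string]$KeyPath, [string]$Name)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'KeyMissing' }
    $key = Get-Item -LiteralPath $KeyPath
    # Registry value names are case-insensitive, as is -notcontains.
    if ($key.GetValueNames() -notcontains $Name) { return 'ValueMissing' }
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    # A string "1" instead of a DWORD is a common hand-editing mistake.
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType($kind)" }
    if ($data -eq 1) { return 'Enabled' }
    return "Disabled(data=$data)"
}

$results = foreach ($view in $views.GetEnumerator()) {
    [pscustomobject]@{
        View  = $view.Key
        State = Get-LockdownState -KeyPath $view.Value -Name $valueName
        Path  = $view.Value
    }
}
$results | Format-Table -AutoSize

# The advisory states Skype must be completely quit and restarted for the change to apply.
$running = Get-Process -Name 'Skype' -ErrorAction SilentlyContinue
if ($running) {
    $running | Select-Object Id, StartTime | Format-Table -AutoSize
    Write-Warning 'Skype is running; a registry change made after StartTime is not in effect yet.'
}
```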

Systems Affected

Vendor               Status       Date Updated
Skype Technologies   Vulnerable   22-Jan-2008

References


http://seclists.org/fulldisclosure/2008/Jan/0328.html
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx
http://www.critical.lt/?opinions/show/1470
http://www.gnucitizen.org/blog/vulnerabilities-in-skype
http://skype.com/security/skype-sb-2008-001.html
http://technet.microsoft.com/en-us/library/bb490630.aspx
http://technet.microsoft.com/en-us/library/bb457150.aspx#EHAA

Credit

This vulnerability was disclosed by Miroslav Lucinskij.

This document was written by Ryan Giobbi.

Other Information

Date Public: 01/17/2008
Date First Published: 01/22/2008 04:15:00 PM
Date Last Updated: 01/22/2008
CERT Advisory:
CVE Name:
Metric: 36.09
Document Revision: 41

Original Source

Url : http://www.kb.cert.org/vuls/id/248184

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26510
 
Oval ID: oval:org.mitre.oval:def:26510
Title: Cross-zone scripting vulnerability in the Internet Explorer web control
Description: Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS."
Family: windows Class: vulnerability
Reference(s): CVE-2008-0454
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows 8.1
Product(s): Skype
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 92

Open Source Vulnerability Database (OSVDB)

Id Description
42864 Skype Internet Explorer Web Control Video Gallery Metacafe Movie Title Cross-...

42863 Skype Internet Explorer Web Control Dailymotion Title Field Cross-zone Scripting

Nessus® Vulnerability Scanner

Date Description
2008-02-07 Name : The remote Skype client is affected by a remote code execution issue through ...
File : skype_2008_001.nasl - Type : ACT_GATHER_INFO